# bash completion for firewall-cmd                         -*- shell-script -*-

# Copyright (C) 2013 Red Hat, Inc.
#
# Authors:
# Jiri Popelka <jpopelka@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#


# TODO: find a way how to get the following options from firewall-cmd

OPTIONS_LOCKDOWN="--add-lockdown-whitelist-command= --remove-lockdown-whitelist-command= \
       --query-lockdown-whitelist-command= --list-lockdown-whitelist-commands \
       --add-lockdown-whitelist-context= --remove-lockdown-whitelist-context= \
       --query-lockdown-whitelist-context= --list-lockdown-whitelist-contexts \
       --add-lockdown-whitelist-uid= --remove-lockdown-whitelist-uid= \
       --query-lockdown-whitelist-uid= --list-lockdown-whitelist-uids  \
       --add-lockdown-whitelist-user= --remove-lockdown-whitelist-user= \
       --query-lockdown-whitelist-user= --list-lockdown-whitelist-users"

# can be used as standalone or with --permanent
OPTIONS_CONFIG="--get-zones --get-services --get-icmptypes --get-helpers \
                ${OPTIONS_LOCKDOWN} --list-all-zones \
                --info-zone= --info-service= --info-icmptype= \
		--info-ipset= --info-helper="

OPTIONS_ZONE_INTERFACES_SOURCES="\
            --add-interface= --remove-interface= --query-interface= \
            --list-interfaces --change-interface= --change-zone= \
            --add-source= --remove-source= --query-source= \
            --change-source= --list-sources"

OPTIONS_ZONE_ACTION_ACTION="--add-service= --remove-service= --query-service= \
                       --add-port= --remove-port= --query-port= \
                       --add-source-port= --remove-source-port= --query-source-port= \
                       --add-protocol= --remove-protocol= --query-protocol= \
                       --add-icmp-block= --remove-icmp-block= --query-icmp-block= \
                       --add-forward-port= --remove-forward-port= --query-forward-port="

OPTIONS_ZONE_ADAPT_QUERY="--add-rich-rule= --remove-rich-rule= --query-rich-rule= \
                    --add-icmp-block-inversion --remove-icmp-block-inversion \
                    --query-icmp-block-inversion \
                    --add-masquerade --remove-masquerade --query-masquerade \
                    --list-services --list-ports --list-protocols \
                    --list-source-ports --list-icmp-blocks \
                    --list-forward-ports --list-rich-rules --list-all"

OPTIONS_ZONE_PERMANENT_ONLY="--get-description --get-short \
                             --set-description= --set-short="

OPTIONS_IPSET_ACTION_ACTION="--add-entry= --remove-entry= --query-entry= --add-entries-from-file= --remove-entries-from-file"

OPTIONS_IPSET_ADAPT_QUERY="--list-entries"

# can be used with/without preceding --zone=<zone>
OPTIONS_ZONE="${OPTIONS_ZONE_INTERFACES_SOURCES} \
              ${OPTIONS_ZONE_ACTION_ACTION} ${OPTIONS_ZONE_ADAPT_QUERY}
              ${OPTIONS_ZONE_PERMANENT_ONLY}"

OPTIONS_IPSET="${OPTIONS_IPSETACTION_ACTION} ${OPTIONS_IPSET_ADAPT_QUERY}"

OPTIONS_PERMANENT_ONLY="--new-icmptype= --new-icmptype-from-file= --delete-icmptype= \
                        --new-service= --new-service-from-file= --delete-service= \
                        --new-zone= --new-zone-from-file= --delete-zone= \
                        --new-ipset= --new-helper-from-file= --delete-ipset= \
                        --new-helper= --new-helper-from-file= --delete-helper= \
                        --get-target --set-target= \
                        --path-zone= --path-service= --path-icmptype= \
                        --path-ipset= --path-helper="

OPTIONS_NEW_IPSET="--type= --option="

OPTIONS_NEW_HELPER="--module= --family="

OPTIONS_HELPER=""

# can be used after --permanent
OPTIONS_PERMANENT="${OPTIONS_CONFIG} --zone= ${OPTIONS_ZONE} \
                   ${OPTIONS_PERMANENT_ONLY}"

OPTIONS_DIRECT="--passthrough \
        --add-chain --remove-chain --query-chain --get-chains --get-all-chains \
         --add-rule --remove-rule  --remove-rules --query-rule  --get-rules  --get-all-rules \
         --add-passthrough --remove-passthrough \
         --query-passthrough --get-passthroughs --get-all-passthroughs"

# these all can be used as a "first" option
OPTIONS_GENERAL="--help --version \
                 --state --reload --complete-reload \
                 --panic-on --panic-off --query-panic \
                 --get-log-denied --set-log-denied= --get-ipset-types \
                 --lockdown-on --lockdown-off --query-lockdown \
                 --get-default-zone --set-default-zone= --get-active-zones \
                 --get-zone-of-interface= --get-zone-of-interface= \
                 ${OPTIONS_CONFIG} \
                 --zone= ${OPTIONS_ZONE} \
                 --permanent --direct"

_firewall_cmd()
{
    local cur prev words cword split
    _init_completion -s || return

    case $prev in
    --*-entries-from-file|--new-*-from-file)
	_filedir
	return
        ;;
    --new-ipset*)
        if [[ "$cur" == -* ]]; then
            COMPREPLY=( $( compgen -W "${OPTIONS_NEW_IPSET}" -- "$cur") )
        fi
        ;;
    --new-helper*)
        if [[ "$cur" == -* ]]; then
            COMPREPLY=( $( compgen -W "${OPTIONS_NEW_HELPER}" -- "$cur") )
        fi
        ;;
    --new-*)
        ;;
    --zone|--set-default-zone|--info-zone|--path-zone)
        if [[ ${words[@]} == *--permanent* ]]; then
          COMPREPLY=( $( compgen -W '`firewall-cmd --permanent --get-zones`' -- "$cur" ) )
        else
          COMPREPLY=( $( compgen -W '`firewall-cmd --get-zones`' -- "$cur" ) )
        fi
        ;;
    --zone=*)
        COMPREPLY=( $( compgen -W "${OPTIONS_ZONE}" -- "$cur" ) )
        ;;
    --ipset=*)
        COMPREPLY=( $( compgen -W "${OPTIONS_IPSET}" -- "$cur" ) )
        ;;
    --*-ipset)
        if [[ ${words[@]} == *--permanent* ]]; then
          COMPREPLY=( $( compgen -W '`firewall-cmd --permanent --get-ipsets`' -- "$cur" ) )
        else
          COMPREPLY=( $( compgen -W '`firewall-cmd --get-ipsets`' -- "$cur" ) )
        fi
        ;;
    --*-service)
        if [[ ${words[@]} == *--permanent* ]]; then
          COMPREPLY=( $( compgen -W '`firewall-cmd --permanent --get-services`' -- "$cur" ) )
        else
          COMPREPLY=( $( compgen -W '`firewall-cmd --get-services`' -- "$cur" ) )
        fi
        ;;
    --helper|--info-helper|--path-helper)
        if [[ ${words[@]} == *--permanent* ]]; then
          COMPREPLY=( $( compgen -W '`firewall-cmd --permanent --get-helpers`' -- "$cur" ) )
        else
          COMPREPLY=( $( compgen -W '`firewall-cmd --get-helpers`' -- "$cur" ) )
        fi
        ;;
    --helper=*)
        COMPREPLY=( $( compgen -W "${OPTIONS_HELPER}" -- "$cur" ) )
        ;;
    --*-icmp-block|--info-icmptype|--path-icmptype)
        if [[ ${words[@]} == *--permanent* ]]; then
          COMPREPLY=( $( compgen -W '`firewall-cmd --permanent --get-icmptypes`' -- "$cur" ) )
        else
          COMPREPLY=( $( compgen -W '`firewall-cmd --get-icmptypes`' -- "$cur" ) )
        fi
        ;;
    --list-services|--add-service=*|--remove-service=*|--query-service=*|\
    --list-ports|--add-port=*|--remove-port=*|--query-port=*|\
    --list-source-ports|--add-source-port=*|--remove-source-port=*|--query-source-port=*|\
    --list-protocols|--add-protocol=*|--remove-protocol=*|--query-protocol=*|\
    --list-icmp-blocks|--add-icmp-block=*|--remove-icmp-block=*|--query-icmp-block=*|\
    --list-forward-ports|--add-forward-port=*|--remove-forward-port=*|--query-forward-port=*|\
    --list-interfaces|--add-interface=*|--remove-interface=*|--query-interface=*|\
    --list-sources|--add-source=*|--remove-source=*|--query-source=*|\
    --add-masquerade|--remove-masquerade|--query-masquerade|--list-all|\
    --get-description|--get-short|--set-description=*|--set-short=*)
        opts=""
        # --add and --remove can be used multiple times
        if [[ ( ${prev} == --add-* ) || ( ${prev} == --remove-* ) ]]; then
          [[ ${prev} == *=* ]] && opts="${prev%=*}=" || opts="${prev}"
        fi
        if [[ ! ${words[@]} == *--permanent* ]]; then
          opts="${opts} --permanent"
          [[ ${prev} == --add-* ]] && opts="${opts} --timeout="
        fi
        [[ ! ${words[@]} == *--zone=* ]] && opts="${opts} --zone="
        if [ -n "${opts}" ]; then
            COMPREPLY=( $( compgen -W "${opts}" -- "$cur" ) )
        fi

        ;;
    --*-interface|--change-zone)
        _available_interfaces
        ;;
    --permanent)
        [[ ${words[@]} == *--direct* ]] && opts="${OPTIONS_DIRECT}" || opts="${OPTIONS_PERMANENT} --direct"
        COMPREPLY=( $( compgen -W "${opts}" -- "$cur" ) )
        ;;
    --direct)
        [[ ${words[@]} == *--permanent* ]] && opts="${OPTIONS_DIRECT}" || opts="${OPTIONS_DIRECT} --permanent"
        COMPREPLY=( $( compgen -W "${opts}" -- "$cur" ) )
        ;;
    --*-rich-rule)
        # to not be matched with --*-rule below
        return 0
        ;;
    --passthrough|--*-chain|--get-chains|--*-rule|--get-rules|--remove-rules)
        COMPREPLY=( $( compgen -W 'ipv4 ipv6 eb' -- "$cur" ) )
        ;;
    ipv4|ipv6|eb)
        if [[ ${words[@]} == *--passthrough* ]]; then
            return 0
        else
            COMPREPLY=( $( compgen -W 'nat filter mangle' -- "$cur" ) )
        fi
        ;;
    *)
        if [[ "$cur" == -* ]]; then
	    if [[ ${words[@]} == *--new-ipset* ]]; then
		COMPREPLY=( $( compgen -W "${OPTIONS_NEW_IPSET}" -- "$cur") )
	    else
		COMPREPLY=( $( compgen -W "${OPTIONS_GENERAL}" -- "$cur") )
	    fi
        fi
        ;;
    esac

    # do not append a space to words that end with =
    [[ $COMPREPLY == *= ]] && compopt -o nospace

} &&
complete -F _firewall_cmd firewall-cmd
